CVE-2026-39395

| EUVD-2026-19919 MEDIUM
2026-04-07 GitHub_M GHSA-w6c6-c85g-mmv6
4.3
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch Released
Apr 08, 2026 - 02:30 nvd
Patch available
Analysis Generated
Apr 07, 2026 - 20:16 vuln.today
EUVD ID Assigned
Apr 07, 2026 - 20:16 euvd
EUVD-2026-19919
CVE Published
Apr 07, 2026 - 20:06 nvd
MEDIUM 4.3

Tags

Authentication Bypass

Description

Cosign provides code signing and transparency for containers and binaries. Prior to 3.0.6 and 2.6.3, cosign verify-blob-attestation may erroneously report a "Verified OK" result for attestations with malformed payloads or mismatched predicate types. For old-format bundles and detached signatures, this was due to a logic flaw in the error handling of the predicate type validation. For new-format bundles, the predicate type validation was bypassed completely. This vulnerability is fixed in 3.0.6 and 2.6.3.

Analysis

Cosign verify-blob-attestation incorrectly validates attestation signatures and predicate types in versions before 3.0.6 and 2.6.3, allowing remote attackers to bypass integrity verification by submitting malformed attestations or mismatched predicate types that are falsely reported as verified. The vulnerability affects container and binary code signing workflows where attestation integrity is critical for supply chain security.

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

22
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +22
POC: 0

Share

CVE-2026-39395 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy